Can I send private (zero knowledge) transactions in StarkNet? What does it mean that ZK rollup is not really ZK (zero knowledge)?

The short answer is no (unless you implement it yourself, of course).

The long answer: Let’s start with proofs of computational integrity: one side proves to another that a certain computation was done correctly. An optional additional feature is zero-knowledge: this means that there is a mathematical reason why you can’t learn any information from the proof except for the fact that the computation was done correctly. Most of the STARKs we’re building (the one in StarkNet included) don’t have this feature (but it’s going to be extremely hard if not impossible to extract information from the proof nevertheless).

It’s relatively easy to add to the STARK protocol (we’ve even published a repo with a ZK-STARK prover & verifier - Ziggy https://twitter.com/StarkWareLabs/status/1331930111227080709), but we’ve decided to focus on scalability for now, rather than privacy.

This is true for the term ZK-rollup in general - most ZK-rollups are not ZK… The mistake comes from the confusion between proofs of computational integrity and zero-knowledge proofs. The latter is a subset of the former, but they are not the same. You can have a proof of computational integrity which is not ZK. The requirement from ZK-rollups is only proofs of computational integrity, not zero-knowledge.

Another important thing is that a ZK proof is not enough for privacy. It doesn’t help if you have a ZK proof but you tell your secret inputs to the sequencer as part of the protocol… So the protocol must be adapted to make sure no information is leaked. One good example of such a protocol (which uses a ZK proof) is Zcash.

10 Likes
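An added illustration, not part of the original post and not StarkWare's code: a toy model of the gap between a proof of computational integrity and a zero-knowledge one, where the "proof" is reduced to openings of a polynomial that interpolates a secret trace. Without blinding, the openings are a deterministic function of the trace, so a guessed trace can be confirmed; with one random blinding value per query, every candidate trace explains the same openings. The field, the function names, the sample traces and the use of trace blinding as the ZK mechanism are assumptions made for this sketch.

```python
import secrets

P = 2**61 - 1  # toy prime field (assumption; not the field StarkNet uses)

def interpolate_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def open_trace(trace, queries, blinding=()):
    """Prover: values of the trace polynomial at the verifier's query points.
    Trace (then blinding) values sit at x = 1, 2, ...; queries must be
    distinct and lie outside that domain."""
    values = list(trace) + list(blinding)
    points = [(i + 1, v % P) for i, v in enumerate(values)]
    return [interpolate_eval(points, q) for q in queries]

def fresh_blinding(k):
    """One uniformly random field element per query the verifier will make."""
    return [secrets.randbelow(P) for _ in range(k)]

def guess_matches(candidate, queries, openings):
    """Observer, no blinding: a guessed trace either reproduces the openings or not."""
    return open_trace(candidate, queries) == openings

def explaining_blinding(candidate, queries, openings):
    """Observer, with blinding: the blinding values under which `candidate`
    yields exactly these openings. They always exist, so openings reveal nothing."""
    n = len(candidate)
    points = [(i + 1, v % P) for i, v in enumerate(candidate)]
    points += list(zip(queries, openings))
    return [interpolate_eval(points, n + 1 + j) for j in range(len(queries))]

if __name__ == "__main__":
    queries = [1000, 2000]                        # constructed sample
    secret, guess = [3, 1, 4, 1, 5], [2, 7, 1, 8, 2]
    plain = open_trace(secret, queries)
    print("unblinded, wrong guess confirmed:", guess_matches(guess, queries, plain))
    hidden = open_trace(secret, queries, fresh_blinding(len(queries)))
    r = explaining_blinding(guess, queries, hidden)
    print("blinded, wrong guess still fits:", open_trace(guess, queries, r) == hidden)
```

This only models what the opened values reveal; as the post says, privacy also requires that the surrounding protocol never hands the secret inputs to the sequencer.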